Slash::ResKey
For years we've had these things called "formkeys" in Slash, which are small tokens that sit in a form and make sure you can't submit that form without getting one first. Each formkey is tied to your account or IP address, and you can't use a form without one.
Also, formkeys allowed us to easily make sure you have not used a form more than $n times, or more often than $x times in $y seconds, and so on. It helped us curb lots of different sorts of abuse.
Well, formkeys have lots of problems, including that they were hard to use (and so often were not used), could be abused by exploiting lack of atomicity, were hard to add new checks to, and so on.
So enter reskeys. A reimplementation of the same basic idea.
You have a resource (say, journal) and that resource has certain requirements: you must be a registered user, with seclev greater than 0; you cannot use more than 30 forms in four hours; you cannot submit more than one journal every 30 seconds; and so on. Each of these checks is implemented by a class, and a table in the database keeps track of which classes to check in order to create a reskey (get a new form), touch a reskey (preview the journal), or use a reskey (save the journal entry). And a bunch of variables, which the classes use, are defined in another table.
So to use reskeys in the code, you just add those rows to the database tables, then call my $rkey = $reskey->key("journal") in your code, then call $rkey->create (or touch, or use) as appropriate. Call [% PROCESS reskey_tag %] in your form. And if there's an error (because the call to create/touch/use returned false), call $rkey->errstr to get the error string to show to the user.
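As an added illustration (not Slash's own code), here is a small Python model of the design described above: a per-resource list of checks, and a key object whose create/touch/use methods run those checks and expose the first failure as errstr. The check signatures, the dict-based user and the in-memory use log are assumptions standing in for Slash's classes and database tables.

```python
# Each check takes (user, now, uses) and returns an error string, or None
# when it passes. Slash implements each check as a class; closures model it.
def seclev_check(min_seclev):
    return lambda user, now, uses: (
        None if user["seclev"] > min_seclev else "you must be a registered user")

def rate_check(max_uses, window):
    # no more than max_uses within the last window seconds (30 forms / 4 hours)
    return lambda user, now, uses: (
        None if sum(1 for t in uses if now - t < window) < max_uses
        else "too many uses of this form")

def interval_check(min_gap):
    # at least min_gap seconds since the previous use (one journal / 30 s)
    return lambda user, now, uses: (
        None if not uses or now - uses[-1] >= min_gap
        else "please wait before submitting again")

# Stands in for the database table that lists which checks apply per resource.
RESOURCES = {
    "journal": [seclev_check(0), rate_check(30, 4 * 3600), interval_check(30)],
}

class ResKey:
    # (uid, resource) -> timestamps of completed uses; stands in for the DB.
    _uses = {}

    def __init__(self, resource, user):
        self.resource, self.user, self.errstr = resource, user, None

    def _check(self, now):
        uses = self._uses.setdefault((self.user["uid"], self.resource), [])
        for check in RESOURCES[self.resource]:
            self.errstr = check(self.user, now, uses)
            if self.errstr:
                return False
        return True

    # create (hand out a form) and touch (preview) only run the checks;
    # use (save) also records the use so later checks see it.
    create = touch = _check

    def use(self, now):
        # A real store must check and record in one transaction, or the
        # old formkey atomicity problem comes back.
        if not self._check(now):
            return False
        self._uses[(self.user["uid"], self.resource)].append(now)
        return True
```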
Simple and neat. So now Zoo and Journal are ported to Slash::ResKey. If this journal entry gets posted, it means SOAP is working with it, too. And if you get any problems about invalid resources etc., do let me know.